On implementation of efficient inline DDoS detector based on AATAC algorithm

Piotr Wiśniewski, Maciej Sosnowski, Wojciech Burakowski


Distributed Denial of Service (DDoS) attacks constitute a major threat in the current Internet. These cyber‑attacks aim to flood the target system with tailored malicious network traffic overwhelming its service capacity and consequently severely limiting legitimate users from using the service. This paper builds on the state-of-the-art AATAC algorithm (Autonomous Algorithm for Traffic Anomaly Detection) and provides a concept of a dedicated inline DDoS detector capable of real-time monitoring of network traffic and near-real-time anomaly detection.

The inline DDoS detector consists of two main elements: 1) inline probe(s) responsible for link-rate real-time processing and monitoring of network traffic with custom-built packet feature counters, and 2) an analyser that performs the near-real-time statistical analysis of these counters for anomaly detection. These elements communicate asynchronously via the Redis database, facilitating a wide range of deployment scenarios. The inline probes are based on COTS servers and utilise the DPDK framework (Data Plane Development Kit) and parallel packet processing on multiple CPU cores to achieve link rate traffic analysis, including tailored DPI analysis.

Full Text:



A. Zand, G. Modelo-Howard, A. Tongaonkar, S. -J. Lee, C. Kruegel and G. Vigna, “Demystifying DDoS as a Service,” in IEEE Communications Magazine, vol. 55, no. 7, pp. 14-21, July 2017,

DOI: 10.1109/MCOM.2017.1600980.

J. J. Santanna et al., “Booters — An analysis of DDoS-as-a-service attacks,” 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), 2015, pp. 243-251, DOI: 10.1109/INM.2015.7140298.

Apache documentation, ServerLimit Directive [online]. Available from: https://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit [Accessed 21.10.2022]

M. Sikora, T. Gerlich and L. Malina, “On Detection and Mitigation of Slow Rate Denial of Service Attacks,” 11th International

Congress on Ultra Modern Telecommunications and Control

Systems and Workshops (ICUMT), 2019, pp. 1-5,

DOI: 10.1109/ICUMT48472.2019.8970844.

H. Kaur, S. Behal and K. Kumar, “Characterisation and comparison of Distributed Denial of Service attack tools,” 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), 2015, pp. 1139 1145, DOI: 10.1109/ICGCIoT.2015.7380634.

G. Roudière and P. Owezarski, “A lightweight snapshot-based DDoS detector,” in Proc. of 2017 13th International Conference on

Network and Service Management (CNSM), 2017, pp. 1-7,

DOI: 10.23919/CNSM.2017.8256014.

J. Wang, R. C. . -W. Phan, J. N. Whitley and D. J. Parish, “Augmented Attack Tree Modeling of Distributed Denial of Services and Tree Based Attack Detection Method,” 2010 10th IEEE International Conference on Computer and Information Technology, 2010, pp. 1009-1014, DOI: 10.1109/CIT.2010.185.

Y. -C. Wu, H. -R. Tseng, W. Yang and R. -H. Jan, “DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis,” 2009 Third International Conference on Multimedia and Ubiquitous Engineering, 2009, pp. 306-314, DOI: 10.1109/MUE.2009.60.

A. Saied, R. E. Overill, and T. Radzik, “Detection of known and unknown DDoS attacks using Artificial Neural Networks,” Neurocomputing, vol. 172, January 2016, pp. 385–393,


X. Qin, T. Xu and C. Wang, “DDoS Attack Detection Using Flow Entropy and Clustering Technique,” 2015 11th International Conference on Computational Intelligence and Security (CIS), 2015, pp. 412-415, DOI: 10.1109/CIS.2015.105.

S. Ramaswamy, R. Rastogi and K. Shim, “Efficient algorithms for mining outliers from large data sets,” ACM SIGMOD Rec., vol. 29, no. 2, pp. 427-438, 2000.

R. Hofstede, V. Bartoš, A. Sperotto and A. Pras, “Towards real-time intrusion detection for NetFlow and IPFIX,” Proceedings of the 9th International Conference on Network and Service Management (CNSM 2013), 2013, pp. 227-234, DOI: 10.1109/CNSM.2013.6727841.

G. Roudière and P. Owezarski, “Evaluating the Impact of Traffic Sampling on AATAC’s DDoS Detection” in Proc. of the 2018 Workshop on Traffic Measurements for Cybersecurity (WTMC ‘18). Association for Computing Machinery, New York, NY, USA, 27–32.

DOI: 10.1145/3229598.3229605

M. Jin, C. Wang, P. Li and Z. Han, “Survey of Load Balancing Method Based on DPDK,” 2018 IEEE 4th International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing, (HPSC) and IEEE International Conference on Intelligent Data and Security (IDS), 2018, pp. 222-224, DOI: 10.1109/BDS/HPSC/IDS18.2018.00054.

Information about the TAMA project, Exatel webpage [online]. Available from: https://exatel.pl/en/research-and-development/exatel-tama/

[Accessed 21.10.2022]

S. Bradner, and J. McQuaid, “Benchmarking Methodology for Network Interconnect Devices”, RFC 2544, DOI: 10.17487/RFC2544, March 1999.

S. Bradner, “Benchmarking Terminology for Network Interconnection Devices”, RFC 1242, DOI: 10.17487/RFC1242, July 1991


  • There are currently no refbacks.

International Journal of Electronics and Telecommunications
is a periodical of Electronics and Telecommunications Committee
of Polish Academy of Sciences

eISSN: 2300-1933